Alex Hardy


Why CAPTCHAs suck

Robert Hoekman Jr, usability guru and author of the brilliant Designing the Obvious, conveys in a 140-character Twitter post why CAPTCHAs suck:

“Enter correct CAPTCHA, get error, reenter chosen password, recheck checkboxes, reenter correct CAPTCHA, wash, rinse, repeat.”

Ugly. Glitchy. Problematic from a readability and accessibility standpoint. I think CAPTCHAs are horrible and I won’t be adding them to my applications.

A simple question/answer spam challenge – as on Building Findable Websites – is a far more elegant solution. This is definitely *on* the roadmap.

8 comments for “Why CAPTCHAs suck”

  1. Markavian

    I’m all for open submission and comments, the captcha images on my website are low-security and relatively easy to brute force through. The biggest success for cleaning up (the constant hordes of) spam has been a series of logic spam checks behind the scenes. Occasionally I have users find me to say that one of their comments was blocked, which is unfortunate, but on the whole keeps the site clean.

    Long short: I don’t like captcha either.

  2. Alex

    Thanks for your comment :)

    My main issue with CAPTCHAs is that when someone goes to the trouble of sending you an email you should be pleased. I always start my replies with thanks.

    Very little spam gets past my contact form and I plan to improve it further. If it became a choice however between deleting some spam and making my visitors jump through hoops, I’d choose the former every time.

  3. Adam

    I hate Captchas. On the other hand, I wonder how secure are those simple questions, when you have a high profile website with lots of spam potential.

    I’m not a programmer, can anyone shed light on this?

  4. Alex

    If you had a high profile website and a spammer decided to specifically target you I don’t believe there’s a total defense that can be achieved with programming.

    There are even human spam farms where people are paid to post genuine looking comments or send emails. I’ve had one or two such comments on this blog.

    Since most spam is submitted by automated “bots”, I believe that the real goal is to develop a form where the difficulty of circumventing the checks outweighs the benefit of doing so. A bot isn’t going to try too hard to beat your website when it can just move on to the next…

    Personally, I’d go for a spam challenge field as stated and occasionally change the question.

  5. Mark

    You can eliminate automated submissions of forms by just using HTML. And it is 100% effective.

    You do not need captchas at all really. Alex pointed out a few things already. Bots are going to read the HTML elements of a form, but you can make sure that certain HTML input elements must be submitted in a certain way. So now, for the bots to submit the right info, they have to start parsing the stylesheets and decode the CSS. Well, good luck with that. Regardless of traffic a site may have.

    Nice site Alex.

  6. Corey Jarvis

    While what you say is true, I just noticed the Twitter signup form doesn’t work like that. If you successfully complete the CAPTCHA it won’t ask you to do it again if there is a problem elsewhere in the form…
    This is an example of good, thought-through design.

  7. Alex

    Thanks Corey, that would definitely be better than the behaviour we’ve come to expect from CAPTCHAs.

    As far as RHJr is concerned, I’m not clear on *where* the form was that he was complaining about. It probably wasn’t Twitter…

  8. Phil

    It probably doesn’t matter about having a simple captcha on something like a comment form on a blog. However if you have a more important system to protect - such as a login system then perhaps Designing a good captcha would be a good idea.

    Of course with a login system you could always just ban the user after X attempts or ensure they set good passwords. Captchas are getting harder to read, but computer algorithms are getting smarter - it’s a never-ending battle - probably time we found something new.
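
As an added example (not code from this site or from any commenter), here is a server-side check that combines the question/answer challenge from the post with one reading of comment 5: a CSS-hidden input that people leave empty. The field names, the question pool and the `already_passed` flag (which a real form would hold in the server-side session, so a solved challenge is not asked again) are assumptions.

```python
import unicodedata

# Constructed question pool; swap entries occasionally, as comment 4 suggests.
CHALLENGES = {
    "q1": ("What colour is grass?", {"green"}),
    "q2": ("What is two plus three?", {"5", "five"}),
}
HONEYPOT_FIELD = "website"  # hypothetical name; hidden from people with CSS


def normalise(answer: str) -> str:
    """Fold case, character width and outer whitespace before comparing."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def answer_ok(challenge_id: str, answer: str) -> bool:
    entry = CHALLENGES.get(challenge_id)
    if entry is None:  # unknown or retired question id
        return False
    return normalise(answer) in entry[1]


def check_submission(form: dict, already_passed: bool = False) -> dict:
    """Return a verdict plus the fields to re-display, so nothing is retyped."""
    if form.get(HONEYPOT_FIELD, "").strip():
        # A person never sees this input, so a value here means a script
        # filled every field. Drop it quietly and echo nothing back.
        return {"action": "discard", "passed": False, "errors": [], "keep": {}}
    keep = {k: v for k, v in form.items()
            if k not in (HONEYPOT_FIELD, "challenge_answer")}
    passed = already_passed or answer_ok(form.get("challenge_id", ""),
                                         form.get("challenge_answer", ""))
    errors = []
    if not passed:
        errors.append("challenge")
    if not form.get("message", "").strip():
        errors.append("message")
    action = "redisplay" if errors else "accept"
    return {"action": action, "passed": passed, "errors": errors, "keep": keep}
```

The hidden input should also be kept out of the tab order and away from screen readers, otherwise it blocks the same visitors a CAPTCHA does.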
